CJEU - C-383/23 - ILVA (Fine for an infringement of the GDPR): Difference between revisions
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
|Party_Link_2= | |Party_Link_2= | ||
|Reference_Body= | |Reference_Body=Vestre Landsret (Denmark) | ||
|Reference_Case_Number_Name= | |Reference_Case_Number_Name= | ||
| Line 45: | Line 45: | ||
}} | }} | ||
The court found that when a controller which is or forms part of an undertaking is fined for GDPR violations, the fine's maximum amount is based on a percentage of the | The court found that when a controller which is or forms part of an undertaking is fined for GDPR violations, the fine's maximum amount is based on a percentage of this undertaking’s and not only the controller's turnover. However, fine should reflect all relevant facts of the case. | ||
==English Summary== | ==English Summary== | ||
=== Facts === | === Facts === | ||
ILVA operates a chain of furniture stores and is part of the Lars Larsen Group. The total group turnover in the 2016/2017 financial year amounted to DKK6.57 Billion (approximately 881,000,000 €) and ILVA’s turnover amounted to almost DKK1.8 billion (approximately EUR 241 million) for the same financial year. | ILVA (the controller) operates a chain of furniture stores and is part of the Lars Larsen Group (the undertaking). The total group turnover in the 2016/2017 financial year amounted to DKK6.57 Billion (approximately 881,000,000 €) and ILVA’s turnover amounted to almost DKK1.8 billion (approximately EUR 241 million) for the same financial year. ILVA is charged before the Danish courts with having failed, to fulfil its GDPR obligations as controller in relation to the retention of the data of at least 350,000 former customers. | ||
On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK 1.5 million (approximately 201,000€) on ILVA. The calculation of that amount was based not only on the turnover of ILVA, but also on the overall turnover of the Lars Larsen Group. | |||
By judgment of 12 February 2021, the Aarhus District Court (Retten i Aarhus) found that since the charges had been brought only against ILVA, it was not necessary to take into account the turnover of the undertaking to determine the amount of the fine. Furthermore, the court noted that ILVA was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the undertaking's data. | |||
The Public Prosecutor’s Office appealed to the High Court of Western Denmark (Vestre Landsret), which decided to stay the proceedings and to request a preliminary ruling asking in essence, whether [[Article 83 GDPR|Article 83(4) to (6) GDPR]], read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year, within the meaning of Articles 101 and 102 TFEU. | |||
The | === Advocate General Opinion === | ||
The AG decided to examine both questions together. The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in case [[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen|C-807/21 Deutsche Wohnen]]. According to the CJEU, the undertaking should be understood in line with EU competition law and Article 101 and Article 102 TFEU. In particular, it is “entity engaged in an economic activity”, no matter its legal form. When it comes to calculations of a fine, it is the undertaking turnover that should be its basis. | |||
In the case at hand, the AG drew the attention to the influence of the parent company on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of boards of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under [[Article 83 GDPR#5|Article 83(5) GDPR]] would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company. | |||
Consequently, the group turnover would form a baseline for the calculation of maximum fine. | |||
Nevertheless, the AG pointed out the rules to calculate the maximum fine applicable don’t have to be applied as “the main or only reference for setting the actual fine”. This is because the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances. The AG underlined that one of relevant circumstance is the role of members of undertaking in violation committed. | |||
Additionally, the AG suggested that guarantees of fair criminal proceedings has to be followed as well. Especially, the principle of proportionality must be observed. | |||
In conclusion, the AG suggested to consider the following when using the concept of the ''undertaking'' in order to determine the amount of the actual fine under [[Article 83 GDPR]]: | |||
“First, it should be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Second, it needs to be considered whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).” | |||
=== Holding === | |||
The Court stated that the concept of ‘undertaking’ in [[Article 83 GDPR|Article 83(4) to (6) GDPR]] is relevant only for the purpose of determining the amount of the administrative fine imposed on a controller. The court defined an undertaking as an economic unit even if in law that economic unit consists of several persons, natural or legal and a concept for applying competition rules. The court stated that it had previously ruled in [[CJEU - C-807/21 - Deutsche Wohnen|C‑807/21 Deutsche Wohnen]] that [[Article 83 GDPR|Article 83(4) to (6) GDPR]] must be interpreted to mean, that where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned. | |||
However, under Article 83(1) GDPR, each DPA is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive. Additionally, Article 83(2) GDPR requires that the competent DPA, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved. | However, under Article 83(1) GDPR, each DPA is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive. Additionally, Article 83(2) GDPR requires that the competent DPA, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved. | ||
Revision as of 14:30, 14 February 2025
| CJEU - C‑383/23 ILVA | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 83(4) GDPR Article 83(5) GDPR Article 83(6) GDPR Article 83(9) GDPR |
| Decided: | 13.02.2025 |
| Parties: | |
| Case Number/Name: | C‑383/23 ILVA |
| European Case Law Identifier: | ECLI:EU:C:2025:84 |
| Reference from: | Vestre Landsret (Denmark) |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | tjk |
The court found that when a controller which is or forms part of an undertaking is fined for GDPR violations, the fine's maximum amount is based on a percentage of this undertaking’s and not only the controller's turnover. However, fine should reflect all relevant facts of the case.
English Summary
Facts
ILVA (the controller) operates a chain of furniture stores and is part of the Lars Larsen Group (the undertaking). The total group turnover in the 2016/2017 financial year amounted to DKK6.57 Billion (approximately 881,000,000 €) and ILVA’s turnover amounted to almost DKK1.8 billion (approximately EUR 241 million) for the same financial year. ILVA is charged before the Danish courts with having failed, to fulfil its GDPR obligations as controller in relation to the retention of the data of at least 350,000 former customers.
On the recommendation of the Danish DPA, the Public Prosecutor’s Office sought the imposition of a fine of DKK 1.5 million (approximately 201,000€) on ILVA. The calculation of that amount was based not only on the turnover of ILVA, but also on the overall turnover of the Lars Larsen Group.
By judgment of 12 February 2021, the Aarhus District Court (Retten i Aarhus) found that since the charges had been brought only against ILVA, it was not necessary to take into account the turnover of the undertaking to determine the amount of the fine. Furthermore, the court noted that ILVA was engaged in an independent retail activity and that it had not been set up by the parent company for the sole purpose of processing the undertaking's data.
The Public Prosecutor’s Office appealed to the High Court of Western Denmark (Vestre Landsret), which decided to stay the proceedings and to request a preliminary ruling asking in essence, whether Article 83(4) to (6) GDPR, read in the light of Recital 150, must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for infringement of the GDPR is imposed on a controller of personal data which is or forms part of an undertaking, the amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year, within the meaning of Articles 101 and 102 TFEU.
Advocate General Opinion
The AG decided to examine both questions together. The AG emphasised that the notion of “undertaking” has been recently interpreted by the CJEU in case C-807/21 Deutsche Wohnen. According to the CJEU, the undertaking should be understood in line with EU competition law and Article 101 and Article 102 TFEU. In particular, it is “entity engaged in an economic activity”, no matter its legal form. When it comes to calculations of a fine, it is the undertaking turnover that should be its basis.
In the case at hand, the AG drew the attention to the influence of the parent company on the companies within the group. That influence, as defined in the CJEU case law, amounts, for example, to appointing members of boards of directors or calling shareholders meetings. If the parent company “exercise decisive influence” over the controller, then the undertaking under Article 83(5) GDPR would consist of: 1) the controller, 2) the parent company, 3) other companies under decisive influence of the parent company.
Consequently, the group turnover would form a baseline for the calculation of maximum fine.
Nevertheless, the AG pointed out the rules to calculate the maximum fine applicable don’t have to be applied as “the main or only reference for setting the actual fine”. This is because the actual fine should reflect all facts of the case, including all aggravating and extenuating circumstances. The AG underlined that one of relevant circumstance is the role of members of undertaking in violation committed.
Additionally, the AG suggested that guarantees of fair criminal proceedings has to be followed as well. Especially, the principle of proportionality must be observed.
In conclusion, the AG suggested to consider the following when using the concept of the undertaking in order to determine the amount of the actual fine under Article 83 GDPR:
“First, it should be evaluated whether the parent company has exercised its decision-making power with respect to specific activities of the controller or the processor at issue in the GDPR infringement(s). Second, it needs to be considered whether specific data processing infringing the GDPR relates to the company concerned and/or to the whole group. Third, it is necessary to establish whether more than one company forming part of the group was involved in the GDPR infringement(s).”
Holding
The Court stated that the concept of ‘undertaking’ in Article 83(4) to (6) GDPR is relevant only for the purpose of determining the amount of the administrative fine imposed on a controller. The court defined an undertaking as an economic unit even if in law that economic unit consists of several persons, natural or legal and a concept for applying competition rules. The court stated that it had previously ruled in C‑807/21 Deutsche Wohnen that Article 83(4) to (6) GDPR must be interpreted to mean, that where the addressee of the administrative fine is or forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover in the preceding business year of the undertaking concerned.
However, under Article 83(1) GDPR, each DPA is to ensure that administrative fines imposed pursuant to Article 83 in respect of infringements of the GDPR referred to in paragraphs 4 to 6 thereof are in each individual case effective, proportionate and dissuasive. Additionally, Article 83(2) GDPR requires that the competent DPA, when deciding whether it is necessary to impose an administrative fine and when setting the amount of that fine in each individual case, have due regard to a number of factors serving to ensure that each of those infringements is assessed on the basis of all the relevant individual circumstances and that the objectives pursued by the system of penalties provided for in the GDPR are achieved.
Although those factors do not make reference to the concept of an undertaking, within the meaning of Articles 101 and 102 TFEU, the Court has already ruled that only a fine which takes into account where appropriate, the actual or material economic capacity of the person on which the fine is imposed is effective, proportionate and dissuasive. In order to assess those conditions, it is necessary to take account of whether that person forms part of an undertaking, within the meaning of Articles 101 and 102 TFEU.
The court found, that the interpretation of Article 83 GDPR is also applicable where the established infringements of the GDPR by the competent national courts as a criminal penalty as Article 83(9) GDPR provides that - when a jurisdiction does not allow for administrative fines under the GDPR - Article 83 may be applied in such a manner that the fine is initiated by the competent DPA and imposed by competent national courts. Rrecital 151 further specifies that the administrative fines imposed by DPAs are to be effective, proportionate and dissuasive.
Thus, the court found that Article 83(4) to (6) GDPR, read in the light of Recital 150 , must be interpreted as meaning that the term ‘undertaking’ in those provisions corresponds to the concept of ‘undertaking’, within the meaning of Articles 101 and 102 TFEU, with the result that, where a fine for a GDPR infringement is imposed on a controller of personal data which is or forms part of an undertaking, the maximum amount of the fine is to be determined on the basis of a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account in order to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
